Perspectives on Vulnerabilities, ERM, and Audit Services

 對漏洞、ERM和審計服務的看法
 

A fourth Industrial Revolution is underway globally; a digital revolution driven by the rapid, wide-scale deployment of digital technologies, such as in high-speed mobile Internet capabilities, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation. As a result, organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of cloud computing. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority. The public cloud services market is projected to reach a staggering $266 billion in 2020.

第四次工業革命正在全球范圍內進行，一場由快速、大規模的數字技術所推動的數字革命。體現在高速移動互聯網功能，人工智能（AI）和機器學習等領域。云計算是這種轉變的先鋒。因此，各種不同規模、部門和地域的組織都非常迅速地增加了對云計算的使用。根據Gartner（2019）的數據，超過三分之一的企業將云投資視為三大優先項目。公共云服務市場預計到2020年將達到驚人的2660億美元。

One driver in this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella advanced this enduring description of digital transformation: “becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content.” Such benefits from a cloud computing perspective include managing and outsourcing costly and difficult-to-update and -manage in-house IT infrastructure; streamlining and scaling storage, software, and application support; increasing speed and processing; reducing costs. As a result, organizations of all sizes, geographies and sectors, including CPA firms and their clients, are developing their own private cloud or purchasing public cloud services from cloud service providers (CSP), such as Microsoft Azure and Amazon AWS.

云計算的擴散和廣泛應用的一個驅動力是當前的數字化轉型。在2016年的一次演講中，微軟首席執行官薩蒂亞·納德拉（Satya Nadella）提出了對數字化轉型的持久性描述：“與客戶更加緊密地接觸，增強員工的能力，優化他們的業務運營方式，并利用數字內容改變他們提供的產品和服務”。從云計算的角度來看，這些好處包括對成本高昂且難以更新和管理的內部IT基礎設施的管理和業務外包；優化和擴展存儲、軟件和應用程序支持；提高速度和處理能力；降低成本。因此，各種規模、地域和行業的組織，包括會計師事務所及其客戶，都在開發自己的私有云，或者從云服務提供商（CSP）購買公共云服務，比如微軟Azure和Amazon AWS。

While such potential benefits are compelling, market intelligence reveals that cloud computing exacerbates risks and creates new and unexpected risks. For example, a cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers. In this context, one can only imagine the potential cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid transformation to remote working caused by the current coronavirus (COVID-19) pandemic. On the one hand, workers unexpectedly transitioning to remote working have been enabled in part by cloud computing to immediately, rapidly, and seamlessly access necessary data, software, and applications. On the other hand, such an unanticipated disruption and rapid transformation has exacerbated existing risks and created new risks as workers access data from remote locations; for example, breaches in data confidentiality, unauthorized access, and system availability failures.

雖然這些潛在的好處是引人注目的，但市場情報顯示，云計算加劇了風險，并創造了新的和意想不到的風險。例如，云安全漏洞暴露了多達1400萬美國Verizon客戶的姓名、地址和賬戶詳細信息。在這種情況下，不難想象由于當前的冠狀病毒（COVID-19）大流行造成的意外中斷和遠程辦公的快速轉換，可能會出現與云相關的潛在網絡安全漏洞和服務故障。一方面，因為云計算能夠立即、快速、無縫地訪問必要的數據、軟件和應用程序，使得工作人員在意外情況下過渡到遠程工作成為可能。另一方面，這種意外的中斷和快速轉換加劇了現有的風險，并在員工從遠程位置訪問數據時產生了新的風險；例如，數據機密性遭到破壞、未經授權的訪問以及系統可用性故障。

The Cloud’s Impact

云帶來的影響

The National Institute of Standards and Technology (NIST) defines cloud computing as a means for enabling on-demand access to shared pools of configurable computing resources (e.g., networks, servers, storage applications, services) that can be rapidly provisioned and released. In simple terms, the cloud is a massive cluster of super-sized servers housed in locations scattered around the globe (i.e., cloud farms). Cloud farms are operated by CSP vendors such as Amazon AWS; these vendors provide a range of hosting services.

美國國家標準與技術研究所（NIST）將云計算定義為一種能夠按需訪問可配置計算資源（如網絡、服務器、存儲應用程序、服務）的共享池的方法，這些資源可以快速調配和發布。簡單地說，云就是分布在全球各地的大型服務器集群（例如云農場）。云農場由亞馬遜AWS等CSP供應商運營，這些供應商提供一系列托管服務。

Exhibit 2

Cloud Transparency

云透明度

The KPMG Audit Committee Institute highlighted “understanding technology’s impact”—with a reference to cloud computing—as one of their seven items to consider for the audit committee’s 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of CSP vendors and the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:

KPMG審計委員會研究所（KPMG Audit Committee Institute）強調了“理解技術的影響”，并將云計算作為審計委員會2020年議程中需要考慮的七個項目之一。在這種情況下，組織需要透明化CSP供應商的性質、范圍和位置以及他們的云活動的性能。

· What is our enterprise-wide cloud footprint?

· 我們企業的云足跡是什么？

o Do we have an inventory of cloud activities?

o 我們有云計算活動的清單嗎？

o Where are our servers, software, and applications?

o 我們的服務器、軟件和應用程序在哪里？

· Who is responsible and accountable for cybersecurity, system recovery, and controls?

· 誰負責網絡安全、系統恢復和控制？

o Is there a heat-map valuing data stored in private and public clouds, by location?

o 是否有熱圖可以按位置對存儲在私有和公共云中的數據進行評估？

o Are shared-responsibilities for performance, availability, cybersecurity, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?

o 服務水平協議（SLA）中是否明確規定并正式規定了性能、可用性、網絡安全和第三方保證的共同責任？

o Which global jurisdiction regulations are we subject to?

o 我們要遵守哪些全球管轄法規？

o Do management, the board, CSPs, and auditors understand cloud risks?

o 管理層、董事會、CPS和審計師了解云風險嗎？

o What are the CSP contractual requirements and SLA terms and commitments?

o CSP合同要求和SLA條款和承諾是什么？

· Who is accessing our data, and why? Can they see our draft 10-K and trade secrets?

· 誰在訪問我們的數據，為什么？他們能看到我們的10-K草案和商業機密嗎？

o Do our primary CSPs subcontract our cloud needs to other CSP subcontractors (i.e., third- and fourth-party risk)?

o 我們的主要CSP是否將我們的云需求分包給其他CSP分包商（即第三方和第四方風險）？

o Are other jurisdictions accessing our data and surveilling our activities?

o 其他司法管轄區是否在訪問我們的數據并監督我們的活動？

o Do accountants, lawyers, and other vendors safeguard access and storage of our data?

o 會計師、律師和其他供應商是否保護我們數據的訪問和存儲？

· Is shared responsibility for risk management strategy, methods, and skills designed properly and operating effectively?

· 風險管理策略、方法和技能的共同責任是否設計得當并有效運作？

o Are we monitoring breaches and system failures on a continuous basis?

o 我們是否持續監控違規和系統故障？

o Are stakeholders effective and accountable to those who share responsibility for governance?

o 利益相關者是否有效地并對那些共同承擔治理責任的人負責？

o Are we conducting a top-down enterprise risk management assessment?

o 我們是否正在進行自上而下的企業風險管理評估？

Adapting to Digital Transformation

適應數字化轉型

The emergence of cloud computing and the incipient digital transformation of business is having a profound impact on the traditional techniques and services provided by CPA firms. Organizations adopting or leveraging cloud computing should obtain a continuous update of their inventory of cloud activities, including the nature, scope, and locations of their cloud activities; conduct a holistic, enterprise-wide, what-can-go-wrong analysis, including cybersecurity risks and single-point-of-failure risks associated with their cloud ecosystem; and perform an analysis of cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must obtain an understanding of the implications of cloud computing on their clients’ business and control environment; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the CPA firm’s QC processes and compliance.

云計算的出現和商務數字化轉型的初現，對會計師事務所提供的傳統技術和服務產生了深遠的影響。采用或利用云計算的組織應獲得其云活動清單的持續更新。包括其云活動的性質、范圍和位置；進行全面的、企業范圍的、可能出錯的分析，包括與云生態系統相關的網絡安全風險和單點故障風險；執行云計算彈性分析，包括云性能、安全性和變更管理風險的ERM分析。適應數字顛覆和轉型的會計師事務所必須了解云計算對客戶業務和控制環境的影響；分析重大錯報風險和網絡安全風險；評估云控制；并管理注冊會計師事務所的QC流程和合規性的“云通知”變更。